Transcription

2 Threat Landscape
- Continuously evolving
- Network connectivity is constantly increasing
- More capable, diverse and distributed
- Attacks are increasing in sophistication and frequency
- Assets: High Value Targets

"...the threat to NASA's information security is persistent and ever changing. Unless NASA is able to continuously innovate and adapt, their data, systems, and operations will continue to be endangered." Congressional Subcommittee on Investigations and Oversight; Committee on Science, Space, and Technology, Feb

3 IV&V SSO IA Mission
Ensuring Mission and Safety Critical Software and Systems Operate Reliably, Safely, and Securely
- Perform the information system and security control assessment and monitoring techniques that NIST attributes to the IV&V assessor.
- Risk Management Framework for the design, development, implementation, operation, maintenance, and disposition of federal information systems.
- Perform Security Analyses throughout the development life-cycle.
- IEEE-1012 Standard for System and Software V&V
- Counteract the threat landscape throughout the system life-cycle, to include for ground, satellite, and command & control systems.
- Techniques deployed throughout project life-cycle phases.

4 Basis
FISMA requires each agency to use a risk-based approach to develop, document, and implement an agency-wide security program for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
- OMB A-130, Security of Federal Automated Information Systems
- Agency directives

5 Security Objectives
- CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
- INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
- AVAILABILITY: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Source: 44 U.S.C., Sec

6 Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.
Source: OMB Circular A-130, Appendix III

8 Assessment
- Process of determining how effectively an entity being assessed (the assessment object: e.g., host, system, network, procedure, person) meets specific security objectives.
- Comprehensive testing of the security controls in an information system to ascertain system vulnerabilities and the risk associated with system authorization.

9 Authorization
The official management decision given by a senior organizational official that:
- Authorizes operation of an information system
- Explicitly accepts the risk to organizational operations and assets, individuals, or other organizations, based on the implementation of an agreed-upon set of security controls.
Ensures:
- Adequate countermeasures and mitigating factors are in place
- Adequate countermeasures and mitigating factors are operating as intended
- Risk level is understood and thoroughly documented.

11 Security Categorization
Potential impact by security objective (Confidentiality, Integrity, Availability):

LOW
- Confidentiality: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- Integrity: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- Availability: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

MODERATE
- Confidentiality: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- Integrity: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- Availability: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

HIGH
- Confidentiality: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- Integrity: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- Availability: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

12 Security Controls
- For low-impact information systems: organizations must, as a minimum, employ appropriately tailored security controls from the low baseline of security controls defined in NIST SP and must ensure that the minimum assurance requirements associated with the low baseline are satisfied.
- For moderate-impact information systems: organizations must, as a minimum, employ appropriately tailored security controls from the moderate baseline of security controls defined in NIST SP and must ensure that the minimum assurance requirements associated with the moderate baseline are satisfied.
- For high-impact information systems: organizations must, as a minimum, employ appropriately tailored security controls from the high baseline of security controls defined in NIST SP and must ensure that the minimum assurance requirements associated with the high baseline are satisfied.
Organizations must employ all security controls in the respective security control baselines unless specific exceptions are allowed based on the tailoring guidance provided in NIST SP
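Added worked example (not code from the slides): it carries the two slides above through end to end, deriving a system's categorization per objective and the baseline that its impact level selects. It goes one step beyond the slide text by applying the FIPS 199 rule that a system's impact for each objective is the highest impact of any information type it handles, and the FIPS 200 high-water mark that collapses the three objectives to one system impact level; the two information types and their impact values are constructed for illustration.

```python
# Added example (not from the slides): FIPS 199 categorization of a system
# from the information types it handles, and the NIST SP 800-53 baseline
# that the resulting impact level selects.
from typing import Dict, List

LEVELS = ("LOW", "MODERATE", "HIGH")          # ordered, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")

def _check_level(level: str) -> str:
    """Normalise an impact level and reject anything outside FIPS 199."""
    lvl = level.upper()
    if lvl not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return lvl

def categorize_system(info_types: List[Dict[str, str]]) -> Dict[str, str]:
    """FIPS 199 aggregation: for each objective, the system's impact is the
    highest impact assigned to that objective by any information type."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for obj in OBJECTIVES:
        worst = max(LEVELS.index(_check_level(t[obj])) for t in info_types)
        category[obj] = LEVELS[worst]
    return category

def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 high-water mark: the system's impact level is the highest
    of its three objective impacts."""
    return LEVELS[max(LEVELS.index(category[obj]) for obj in OBJECTIVES)]

def required_baseline(category: Dict[str, str]) -> str:
    """Name of the SP 800-53 baseline the slide's rule selects."""
    return f"{overall_impact(category).lower()}-impact baseline"

# Constructed sample: two information types on one ground system; the
# impact values are invented for illustration.
SAMPLE_INFO_TYPES = [
    {"name": "housekeeping telemetry", "confidentiality": "low",
     "integrity": "moderate", "availability": "moderate"},
    {"name": "command uplink schedule", "confidentiality": "moderate",
     "integrity": "high", "availability": "moderate"},
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print("SC =", sc, "->", required_baseline(sc))
```

Note that a single HIGH integrity rating on one information type pulls the whole system to the high baseline, which is why tailoring decisions have to be argued per objective rather than averaged.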

15 IV&V Security Analysis
- IEEE Standard for System and Software Verification and Validation: Security Analysis throughout, to verify that the system-required threat controls and safeguards are correctly implemented and to validate that they provide the desired levels of protection of system vulnerabilities.
- IVV Verify and Validate Concept Documentation 2.6: Ensure that security threats and risks are known and documented and that relevant regulatory requirements are identified.

16 IEEE Std
Specific V&V activities that may be appropriate for critical security requirements necessary to control threats and exposure to vulnerabilities may include the following activities:
a) Traceability of critical requirements through the life cycle to verify implementation.
b) Evaluation of potential threat sources and vulnerabilities to validate that critical security requirements are complete and are appropriate for the system operational need.
c) Evaluation of architectures and designs to determine whether security functions meet required capabilities, whether additional threat controls are needed, and whether design changes are needed to remove vulnerabilities.
d) Application of verification methods (analyses, inspections, demonstrations, or tests) that are intended to determine whether plausible threats can exploit vulnerabilities. These verification methods may include the following:
   1) Statistical analyses to determine whether the probability of breaching a security control is within acceptable levels. This may include simulations or mathematical models (e.g., for encryption methods).
   2) Inspections to verify that security controls are implemented as specified. This may also include inspections that regulatory or policy standards have been followed.
   3) Demonstrations in an operational setting to show that security controls are reasonable and effective.
   4) Tests to verify that specific security controls (physical, procedural, and automated controls) cannot be breached. For IT systems, this may also include vulnerability scanning and penetration testing.

20 Inspiration
NIST Wants Developers of Critical Systems to Consider Security From the Start

"The US National Institute of Standards and Technology (NIST) wants developers of critical systems to build security into their products from the ground up. The voluntary guidelines are intended to be a roadmap for IT management responsible for securing systems that underlie the country's critical infrastructure. The 121-page draft document describes 11 core technological processes in systems and software development. The draft is open to public comment through July 11. One of the document's co-authors describes it as a disciplined and structured process to show how... security actually does get baked into the process." SANS NewsBites Vol. 16 Num. 039

"I applaud the attempt to shift attention from the component-level to the system-level and move the consideration of threats to the earliest stage (design requirements) in the lifecycle. organizations remain ill-equipped to implement what is suggested [in SP ]." SANS NewsBites Editor
